ESCALATED: Unauthorized access to private repositories via DeployToken

HackerOne report #686359 by xanbanx on 2019-09-02, assigned to jmatos_bgtvf:

Hi GitLab security team

Summary

I found a quite severe problem in your implementation of deploy tokens. Deploy tokens can have the read_repository scope or the read_package scope. From now on, consider the read_repository scope, but keep in mind the vulnerability also applies to the read_package scope.

So deploy tokens can be created per repository. However, as it should be, these tokens are only displayed once, upon creation, to the user who is creating the token. So only the user who created the token actually gets it.

However, this token is only bound to the project. There is no relationship between the token and the user who created it. This means that if the user is removed from the project, he still has access to the repository via the deploy token. Furthermore, there is no log of who created the deploy token or who used the deploy token at what time. So although the user was removed from the project, he can still get all code updates from the repo.

Steps to reproduce

This was tested on a local installation of GitLab Enterprise Edition 12.3.0-pre gitlab-ce@33da820c3a0b3be6440ef1e9a1308a603d2b8869

  1. Create a private repository and push some code
  2. Add another maintainer to this project, denoted as User_B
  3. Let User_B create a deploy token at http://gitlab.example.com/<namespace>/<project>/-/settings/repository with read_repository scope. Now the new deploy token is presented only once, to User_B. He is the only person who is in possession of the token
  4. Remove User_B from the project.
  5. Let User_B perform a git clone http://<deploy-token-user>:<deploy-token>@gitlab.example.com/<namespace>/<project>.git operation using the previously created deploy token

Now, User_B again has access to the code, although he was removed from the project.
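The following is an added example, not code from the report or from GitLab itself. It is a toy model of project membership and deploy tokens that reproduces the logic flaw described in the steps above (the token is bound to the project only, so a removed member's token keeps working) beside the remedy the report asks for (the token records its creator and is revoked when that creator is removed from the project, and creation, revocation and use are written to an audit log). All class names, function names, user names and the project name are invented for illustration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DeployToken:
    username: str
    secret: str
    scopes: frozenset
    project: str
    # In the vulnerable model this stays None: nothing ties the token to a user.
    creator: Optional[str] = None
    revoked: bool = False


@dataclass
class Project:
    name: str
    members: set = field(default_factory=set)
    tokens: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)  # (event, actor, token username)

    def add_member(self, user: str) -> None:
        self.members.add(user)

    def create_deploy_token(self, creating_user: str, scopes=("read_repository",),
                            bind_owner: bool = False) -> DeployToken:
        """Only a current member may create a token. With bind_owner=True the token
        remembers who created it; with False it behaves like the reported bug."""
        if creating_user not in self.members:
            raise PermissionError(f"{creating_user} is not a member of {self.name}")
        token = DeployToken(
            username=f"gitlab+deploy-token-{len(self.tokens) + 1}",  # hypothetical naming
            secret=secrets.token_urlsafe(20),
            scopes=frozenset(scopes),
            project=self.name,
            creator=creating_user if bind_owner else None,
        )
        self.tokens.append(token)
        self.audit_log.append(("deploy_token.create", creating_user, token.username))
        return token

    def remove_member(self, user: str, revoke_owned_tokens: bool = False) -> None:
        """Offboarding. The hardened variant also revokes every token the user created."""
        self.members.discard(user)
        if revoke_owned_tokens:
            for t in self.tokens:
                if t.creator == user and not t.revoked:
                    t.revoked = True
                    self.audit_log.append(("deploy_token.revoke", user, t.username))

    def authorize_clone(self, username: str, secret: str, actor: Optional[str] = None) -> bool:
        """Emulates git clone over HTTP with deploy-token credentials. Note that the
        decision depends only on the token, never on the membership of whoever presents it."""
        for t in self.tokens:
            if t.username == username and secrets.compare_digest(t.secret, secret):
                if t.revoked or "read_repository" not in t.scopes:
                    return False
                self.audit_log.append(("deploy_token.use", actor, t.username))
                return True
        return False


def run_scenario(hardened: bool) -> bool:
    """Replays the reproduction steps. Returns True if the removed member can still clone."""
    project = Project("acme/secret-app")          # constructed sample project
    project.add_member("user_a")                   # project owner
    project.add_member("user_b")                   # maintainer, the CI admin from the report
    token = project.create_deploy_token("user_b", bind_owner=hardened)
    project.remove_member("user_b", revoke_owned_tokens=hardened)
    # User_B retries: git clone http://<username>:<secret>@gitlab.example.com/acme/secret-app.git
    return project.authorize_clone(token.username, token.secret, actor="user_b")


def vulnerable_scenario() -> bool:
    return run_scenario(hardened=False)   # True: clone succeeds after removal


def hardened_scenario() -> bool:
    return run_scenario(hardened=True)    # False: token was revoked with the member


if __name__ == "__main__":
    print("vulnerable model, clone after removal:", vulnerable_scenario())
    print("hardened model, clone after removal:", hardened_scenario())
```

The hardened branch implements exactly the expected behaviour stated later in the report: an owner is recorded at creation and removal of that owner revokes the token. Whether revocation on removal is the right policy for a shared CI credential is a product decision; the point of the model is that without an owner there is nothing for offboarding to act on, and without a use log the continued access is invisible.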

Impact

Unauthorized users can gain code access to a private project. Actually, this situation is quite common. Let's consider an IT admin who is responsible for the CI setup. He is a maintainer of the project and thus adds a deploy token, which only he is in possession of (because it was presented only to him). Now, this person gets offboarded and thus gets removed from the project. However, because he still has the deploy token, he can still access the code.

What is the current bug behavior?

Removed users still have code access to the repository via deploy tokens.

What is the expected correct behavior?

Deploy tokens must have an owner. As soon as the owner of the deploy token is removed from the project, the deploy token is revoked, which also disables code access to the project for the person who received the token.

Relevant logs and/or screenshots

Output of checks

This bug happens on GitLab.com

Best,
Xanbanx

Impact

See above.

Edited Dec 30, 2019 by Dan Jensen